
Microsoft IIS, Let’s Encrypt, and URL Rewrite

.ב״ה

There is an abundance of information on the Internet that will walk you through setting up Apache or Nginx and getting your first website up and running. That same information for Microsoft’s web server, Internet Information Services, can be hard to find and even harder to piece together. This post will walk through setting up IIS with a brand-new website, granting it an SSL Certificate with Let’s Encrypt, and using the URL Rewrite module to force visitors to use HTTPS.

As far as I am aware, most if not all of this guide will apply to IIS 7 through 10 as well as Windows Azure Web Sites, but as I only have access to IIS 8.5 I cannot confirm that.

Contents:

  1. Installing and Configuring Internet Information Services Setup
  2. Creating an SSL Certificate with Let’s Encrypt
  3. Using URL Rewrite to force HTTPS


Internet Information Services Setup

Installing IIS

If you have not installed IIS already, you’ll need to do that first. Open Control Panel -> Programs and Features and click “Turn Windows Features on or off” in the sidebar. In the window that opens, check Internet Information Services. The essentials should be selected, but you can check Internet Information Services -> World Wide Web Services for any additional features that you might require, such as the CGI module for CGI web applications.

The Windows Features dialogue box with Internet Information Services selected for install.

Once you’ve selected everything you need, click the OK button. Windows will now install IIS and its required components. This may take a few minutes, depending on your hardware. You may need to restart your computer to finish the installation; do so if you are prompted. After this has finished, you can close all of the windows you just opened and you’re now ready to move on to setting up a website.

Setting up your first IIS site

Open the Internet Information Services (IIS) Manager by searching for it in the Start menu or by running inetmgr from the Run prompt. You should be presented with a window similar to the one below, though the icons may be in a different arrangement and your server and usernames will be different.

The default screen of the Internet Information Services Manager.

Right click on your server’s connection in the left pane (GLORY (glory\Delevingne) in the image above) and select “Add Website”. Fill out the prompt that appears with the details appropriate to your new website:

  • Site name: This is a purely descriptive name that you can give to your website that will only appear in IIS’s management software. I personally use the domain name, but you can put anything.
  • Physical path: This is where your new website’s files will be located. I use C:\iis\sites\ for all of my websites, but again, you can use any directory. Be aware of the permissions of any existing directory that you use, as some permissions may grant public access to an important directory.
  • Type, IP address and port: You will be adding a new binding for HTTPS later, so these can be left as their defaults for now. You may want to assign a specific IP address if you have more than one.
  • Host name: This is the host portion of your URL (your domain). In this example, I use test.rauchland.com.

The completed “Add Website” dialogue.

Leave “Start Website immediately” checked and click OK. Now we have IIS running with a website being served – hooray!

Windows Firewall, Port Forwarding and DNS Settings

Depending on the existing setup of your server, local network, and domain name, you may have to make a few changes to allow access to your new website via your domain name or public IP address.

Windows Firewall

  1. Go to Control Panel -> Windows Firewall and open “Allow an app or feature through Windows Firewall” from the sidebar.
  2. Click the Change settings button at the top of the new page. You may have to approve a UAC access request.
  3. Allow both of the following apps to communicate through Windows Firewall:
    • World Wide Web Services (HTTP);
    • Secure World Wide Web Services (HTTPS).
  4. Click “OK” at the bottom of the Window.

Port Forwarding

  1. Open your router’s configuration page. This is usually accessible via 192.168.0.1 in your web browser. If that doesn’t work, open command prompt (cmd.exe via the Run prompt) and enter ipconfig. Try the IP listed as your Default Gateway.
  2. Find the Port Forwarding settings for your router and forward port 80 and port 443 on the IP address assigned to your server. If you don’t know your server’s IP, use the IPv4 Address produced by the ipconfig command referenced above.
  3. Apply your changes. Depending on your router, this may take a few moments.

DNS Settings

  1. If you don’t know how to change DNS settings, contact your domain name registrar or your web host and ask them to do it for you. Incorrect DNS settings can make your domain name inaccessible.
  2. If you know how, add an A name record to your DNS zone that directs the appropriate domain (in my case, test.rauchland.com) to your public IP address. You can find your public IP address here.

After all of this, your website should now be accessible via the domain name you’ve been using, though you may be given an error page for attempting to access a directory that you don’t have permission to view – which is what we want! Let’s move on to setting up a free SSL Certificate, courtesy of Let’s Encrypt.


Let’s Encrypt – win-acme

We’re going to set up Let’s Encrypt the easy way. Download the latest release of win-acme from GitHub and extract the contents of the zip archive to a permanent directory. I extracted the contents to a Let’s Encrypt folder in my Program Files directory. We’ll be leaving all of the files where we put them after we’re done so that our SSL Certificate can automatically renew when it expires.

Run letsencrypt.exe. A command prompt window should open.

win-acme’s initial output.

In the command prompt window, do the following:

  1. Enter N to begin the process of creating a new certificate;
  2. Enter 1 to create a certificate for a single site;
  3. Enter the number that corresponds to the site you’ve created. It should be 1.

Once all of that is complete, you should have a fully functional Let’s Encrypt SSL Certificate installed and ready for configuration. If no errors were reported, your certificate will automatically renew, provided you don’t move or delete the files you extracted earlier.

Let’s Encrypt successfully creating a certificate for test.rauchland.com and setting up automated renewal.

Enabling HTTPS in IIS Manager

Now that we have a certificate, we can enable HTTPS on our website. Open the IIS Manager again. Underneath your server connection – where we added the new site on the first page – your new site should now be listed under the “Sites” heading. Right click on it in the list and select “Edit bindings”. You’ll be presented with the window shown below.

The “Site Bindings” window.

Let’s Encrypt should’ve automatically added an HTTPS binding on port 443 for you. If it hasn’t, click the Add button and fill in the prompt that appears with the appropriate type, port and host name. You may wish to specify the local IP address, too.

That’s all that’s required to get HTTPS to work. To make sure that the site is working, let’s add an index file to the site. Head to the directory that you specified as the physical path earlier on and create an index.html file within it. Use your preferred text editor to add the following code to it, then save it.

<!DOCTYPE html>
<html>
    <head>
        <title>Hello World!</title>
    </head>
    <body>
        <p>It's alive!</p>
    </body>
</html>

Visit your domain (via HTTPS) in your browser, et voilà! You should be greeted by this page.

The temporary index.html file served via HTTPS.

Last but not least, we can move on to using the IIS URL Rewrite module to ensure that our visitors are always directed to HTTPS.


Forcing HTTPS with URL Rewrite

URL Rewrite is the IIS module for defining rules that rewrite or redirect requested URLs. It doesn’t come with the default install of IIS, so you will have to download it from the Microsoft website. You can find the module here.

Once the module is downloaded, run the installer and let it complete. Open the IIS Manager when the install has finished, and look for “URL Rewrite” within the manager.

The URL Rewrite module option within IIS Manager.

Go ahead and open the URL Rewrite window and click “Add Rule(s)” in the sidebar to the right. Select “Blank rule” in the new window and click the OK button. You’ll be presented with the “Edit Inbound Rule” panel.

  • In the “Name” field at the top of the window, enter the name you wish to give the rule. I chose “HTTPS Redirect”;
  • Under “Match URL”, set “Using” to Wildcards and enter (.*) in the “Pattern” field;
  • Under “Conditions”, click the “Add” button and fill in the window that appears with the details shown below.
  • Do not change anything under “Server Variables”;
  • Under “Action”, set the “Action Type” to “Redirect”, the “Redirect URL” to https://{HTTP_HOST}{REQUEST_URI}, ensure that “Append query string” is ticked, and finally, set “Redirect type” to either 301 or 302. Consult this Stack Overflow question if you aren’t sure which type to use.

After you’ve entered all of the required information, click the “Apply” button in the sidebar to the right and your rule will be created. You should be returned to the previous pane, which should look like this.

The completed URL Rewrite rule.

Finally, attempt to access your domain via insecure HTTP – in my case, http://test.rauchland.com – and you should find your HTTPS redirect functioning perfectly! If for some reason it isn’t, restart your IIS server from the “Manage Server” options in the right-side sidebar.
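The same check can be scripted so that it also confirms the redirect keeps the host, path and query string intact. The following is an added example, not part of the original post: the function names `evaluate_redirect` and `probe` are hypothetical, and the sample responses are constructed rather than captured from a real server.

```python
import http.client
import sys
from urllib.parse import urlsplit

def evaluate_redirect(request_url, status, location):
    """Return the problems found in one HTTP-to-HTTPS redirect; [] means it is correct."""
    if status not in (301, 302):
        return [f"expected 301 or 302, got {status}"]
    if not location:
        return ["redirect has no Location header"]
    src, dst = urlsplit(request_url), urlsplit(location)
    problems = []
    if dst.scheme != "https":
        problems.append(f"Location scheme is {dst.scheme!r}, not 'https'")
    if dst.hostname != src.hostname:
        problems.append(f"host changed: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/"):
        problems.append(f"path changed: {src.path!r} -> {dst.path!r}")
    if dst.query != src.query:  # catches a dropped or doubled query string
        problems.append(f"query changed: {src.query!r} -> {dst.query!r}")
    return problems

def probe(request_url, timeout=10):
    """Send one plain-HTTP GET and return (status, Location) without following it."""
    parts = urlsplit(request_url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server), used when no URL is given.
SAMPLES = [
    ("http://test.rauchland.com/index.html?a=1", 301, "https://test.rauchland.com/index.html?a=1"),
    ("http://test.rauchland.com/index.html?a=1", 302, "https://test.rauchland.com/index.html?a=1&a=1"),
    ("http://test.rauchland.com/", 200, None),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass your own http:// URL as the first argument
        checks = [(sys.argv[1], *probe(sys.argv[1]))]
    else:
        checks = SAMPLES
    for url, status, location in checks:
        issues = evaluate_redirect(url, status, location)
        print(url, "->", location, ":", "OK" if not issues else "; ".join(issues))
```

Run it with a URL that includes a path and a query string, since a bare domain will not reveal a redirect that drops or repeats them.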

Concluding Microsoft IIS 8.5, Let’s Encrypt and URL Rewrite

If everything went according to plan, you should now have a fully functional IIS installation hosting a site that will only be accessible via HTTPS, courtesy of Let’s Encrypt.

As always, drop a comment below or join my Discord server if you have any comments or questions.
